mirror of https://github.com/django/django.git synced 2025-03-16 12:20:46 +00:00
django/docs/releases/1.4.4.txt

==========================
Django 1.4.4 release notes
==========================

*February 19, 2013*

This is the fourth bugfix/security release in the Django 1.4 series.

Host header poisoning
---------------------

Some parts of Django, independent of end-user-written applications, build full
URLs, including the domain name, from the HTTP ``Host`` header (for example
``request.build_absolute_uri()`` and the links in password-reset emails when
the sites framework is not installed). Django's documentation has for some
time contained notes advising users on how to configure webservers to ensure
that only valid Host headers can reach the Django application. However, it has
been reported to us that even with the recommended webserver configurations
there are still techniques available for tricking many common webservers into
supplying the application with an incorrect and possibly malicious Host
header.

For this reason, Django 1.4.4 adds a new setting, ``ALLOWED_HOSTS``, containing
an explicit list of valid host/domain names for this site. A request with a
Host header not matching an entry in this list will raise
``SuspiciousOperation`` if ``request.get_host()`` is called; the check lives in
``get_host()``, so code that reads ``request.META['HTTP_HOST']`` directly is
not validated. For full details see the documentation for the
:setting:`ALLOWED_HOSTS` setting.

The default value for this setting in Django 1.4.4 is ``['*']`` (matching any
host), for backwards-compatibility, but we strongly encourage all sites to set
a more restrictive value, since the default provides no protection at all.

This host validation is disabled when ``DEBUG`` is ``True`` or when running
tests, so it only protects sites that run with ``DEBUG = False``.
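The following is an added example, not code from Django or from these release
notes: a stand-alone re-implementation of the check that ``get_host()`` performs
against ``ALLOWED_HOSTS``, used to show how a poisoned Host header ends up in a
generated absolute URL under the ``['*']`` default and how a restrictive list
stops it. The matching rules (``'*'`` matches anything, a pattern beginning with
a period matches that domain and all its subdomains, anything else must match
exactly) follow the documented semantics of the setting; the names
``validate_host``, ``get_host``, ``build_absolute_url``, ``demo`` and the WSGI
environ dicts are this example's own, and the syntactic host check and the
rejection of IPv6 literals are choices made here, not Django's.

```python
"""Added example: a stand-alone model of the Django 1.4.4 ALLOWED_HOSTS check.

Not Django's own code. Function names and sample requests are constructed for
the example; the matching rules follow the documented ALLOWED_HOSTS semantics.
"""
import re


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


# Only DNS-style names and IPv4 literals pass (lowercase letters, digits,
# hyphens, dots). Spaces, slashes, '@' and bracketed IPv6 literals are
# rejected before any pattern is consulted. This is this example's choice.
_HOST_RE = re.compile(r'^[a-z0-9.-]+$')


def validate_host(host, allowed_hosts):
    """Return True if ``host`` (domain only, no port) matches ``allowed_hosts``."""
    host = host.lower().rstrip('.')          # case-insensitive, ignore trailing dot
    if not _HOST_RE.match(host):
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*':
            return True
        if pattern.startswith('.'):
            # '.example.com' matches example.com and every subdomain of it
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif pattern == host:
            return True
    return False


def get_host(environ, allowed_hosts, debug=False):
    """Model of request.get_host(): HTTP_HOST, else SERVER_NAME/SERVER_PORT,
    then the ALLOWED_HOSTS check (skipped under DEBUG, as the notes state)."""
    if 'HTTP_HOST' in environ:
        host = environ['HTTP_HOST']
    else:
        # Reconstruct from the server variables when no Host header arrived
        host = environ['SERVER_NAME']
        port = str(environ['SERVER_PORT'])
        default_port = '443' if environ.get('wsgi.url_scheme') == 'https' else '80'
        if port != default_port:
            host = '%s:%s' % (host, port)
    if debug:
        return host                           # no validation at all under DEBUG
    domain = host.rsplit(':', 1)[0] if ':' in host else host   # drop the port
    if not validate_host(domain, allowed_hosts):
        raise SuspiciousOperation('Invalid HTTP_HOST header: %r' % host)
    return host


def build_absolute_url(environ, path, allowed_hosts, debug=False):
    """Shape of a password-reset link: scheme + validated host + path."""
    scheme = environ.get('wsgi.url_scheme', 'http')
    return '%s://%s%s' % (scheme, get_host(environ, allowed_hosts, debug), path)


# Constructed WSGI environ dicts: one honest request, and one whose Host
# header an attacker controls (for instance through a catch-all virtual host).
HONEST = {'wsgi.url_scheme': 'https', 'HTTP_HOST': 'www.example.com',
          'SERVER_NAME': 'www.example.com', 'SERVER_PORT': '443'}
POISONED = dict(HONEST, HTTP_HOST='evil.attacker.test')
RESET_PATH = '/accounts/reset/MQ/3jx-abc123/'   # constructed token path


def demo():
    """Return (link produced under the ['*'] default, whether a restrictive
    ALLOWED_HOSTS rejected the same poisoned request)."""
    # Default ALLOWED_HOSTS = ['*']: the attacker's host lands in the email link
    leaked = build_absolute_url(POISONED, RESET_PATH, ['*'])
    # Restrictive list: the poisoned request never produces a link
    try:
        build_absolute_url(POISONED, RESET_PATH, ['www.example.com', '.example.com'])
        blocked = False
    except SuspiciousOperation:
        blocked = True
    return leaked, blocked


if __name__ == '__main__':
    leaked, blocked = demo()
    print('with ALLOWED_HOSTS = ["*"]:', leaked)
    print('with a restrictive list, poisoned request rejected:', blocked)
```

The point of the demo is the first return value: with the 1.4.4 default the
attacker's domain is embedded verbatim in a link the site itself mails out,
which is exactly the poisoning the setting exists to prevent. Note also that
``debug=True`` returns the poisoned host unchanged, so a restrictive
``ALLOWED_HOSTS`` buys nothing on a site that runs with ``DEBUG = True``.
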
Other bugfixes and changes
--------------------------

* Changed a SQL command syntax to be MySQL 4 compatible (#19702).

* Added backwards-compatibility with old unsalted MD5 passwords (#18144).

* Numerous documentation improvements and fixes.